Show HN: Pangolin – Open source alternative to Cloudflare Tunnels
Architecture & Components
- Pangolin is described as a control plane and auth layer built around existing components:
  - Traefik for HTTP reverse proxying.
  - A Traefik plugin (“Badger”) to authenticate every request against Pangolin.
  - “Gerbil” as a WireGuard management service.
  - “Newt” as a userspace WireGuard client (based on wireguard-go + netstack) running on the edge/home side; no privileged container or kernel module required.
  - Newt negotiates tunnels to a VPS with a static IP and then proxies local LAN services through that tunnel.
Primary Use Cases & Motivations
- Persistent, public, authenticated access to homelab / internal apps (Immich, Grafana, Home Assistant, Plex/Jellyfin/Emby, RustDesk, etc.) for friends/family or small orgs.
- Working around ISP issues: blocked ports, dynamic IPs, or unwillingness to expose home IP directly.
- Multi-site or distributed environments; an alternative to hand-rolled WireGuard + reverse proxy setups.
- Public ingress to private/cloud environments (e.g., AWS VPC) with auth, complementing or replacing Caddy/nginx/Twingate.
- Some see it as a simpler one-stop replacement for “manual” stacks (WireGuard + VPS proxy + certbot + user management).
Comparison to Other Tools
- Positioned as:
  - Alternative to Cloudflare Tunnels, ngrok, Zscaler for “public ingress with browser-based auth”, not a mesh VPN.
  - Different from Tailscale/NetBird/headscale, which are for private mesh networking; Pangolin focuses on exposing services publicly with fine-grained auth (users, roles, OIDC, PINs).
- Compared favorably to nginx-proxy-manager style setups when advanced auth and integrated tunneling are needed.
- Mentioned alongside frp, zrok/OpenZiti, and a long list of OSS tunnels; commenters see Pangolin as unusually polished with a strong web UI.
Security, Privacy & Risk
- Worst-case scenarios discussed: tunnel/VPS compromise granting network access, or auth bypass exposing internal web UIs.
- No formal third-party audit yet; maintainers explicitly invite pen-testing and plan audits when resources allow.
- Debate over trust: running on a VPS means TLS termination or decrypted traffic there; some prefer TLS passthrough so keys remain on-prem.
- For purely private admin access, several commenters still recommend SSH port forwarding, plain WireGuard, or Tailscale.
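As an added illustration of the TLS-termination trade-off above (not Pangolin's own shipped configuration), the two Traefik dynamic-config fragments below expose the same service with TLS terminated on the VPS versus passed through to the origin; the hostname, backend addresses, the `websecure` entrypoint and the `badger` middleware name are assumptions, and the plugin's own settings are not shown.

```yaml
# Added example, not Pangolin's shipped config. Traefik dynamic configuration
# (file provider). Hostname, backend addresses, entrypoint and the "badger"
# middleware name are assumed; the plugin's own settings are omitted.

# Option A: TLS terminated on the VPS. Traefik holds the certificate, sees
# plaintext, and the Badger middleware can authenticate every request.
http:
  routers:
    immich:
      entryPoints: ["websecure"]
      rule: "Host(`immich.example.com`)"
      middlewares: ["badger"]        # per-request auth against Pangolin
      service: immich
      tls:
        certResolver: letsencrypt    # private key lives on the VPS
  services:
    immich:
      loadBalancer:
        servers:
          - url: "http://10.0.0.5:2283"   # reached over the Newt tunnel

# Option B: TLS passthrough. The VPS only routes on the SNI in the ClientHello;
# the certificate and private key stay on-prem and the VPS never sees plaintext.
# Trade-off: HTTP middlewares (Badger included) cannot run on an opaque TCP
# stream, so request-level auth must be enforced by the origin itself.
tcp:
  routers:
    immich-passthrough:
      entryPoints: ["websecure"]
      rule: "HostSNI(`immich.example.com`)"
      service: immich-tcp
      tls:
        passthrough: true
  services:
    immich-tcp:
      loadBalancer:
        servers:
          - address: "10.0.0.5:443"       # origin terminates TLS itself
```

Both routers are shown for one hostname only for comparison; in practice a given hostname uses one or the other, and with passthrough the VPS operator can neither inspect nor filter requests, which is exactly the trade-off the commenters were weighing.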
Deployment, Ops & UX
- Works well in Docker Compose; Docker Swarm and Kubernetes integration are of interest but not clearly documented.
- Supports multiple domains on one VPS and can front existing reverse proxies or app platforms (e.g., Dokploy, CapRover).
- Docs are considered decent but users request more scenario-based tutorials; a docs revamp is planned.
- UI is praised as sleek and significantly more discoverable than Cloudflare’s Tunnels UX, which some find deeply buried.
- Dual-licensed (AGPL + commercial) with a concise CLA; contributors so far reportedly accept this without issue.